Leading up to TECHSHOW 2019, you can find great content from last year’s TECHSHOW 2018 here at our blog. Our first post comes from last year’s “Securing Your Documents” paper written by Heidi Alexander and Shamla Naidoo.
In most law firms, the most popular format for storing sensitive information is the document. Protecting these documents, particularly if they contain client information, is of paramount importance to the law firm. There are a number of different methods that can be used to protect documents from data leakage. Popular options include password protection, encryption, and banners in documents to indicate the intended use or recipient. But not all methods are equal, and we will tell you why.
First, you must identify and classify the data and data sources.
The most important step is to understand the data and classify it appropriately. Classification and labeling enable you to understand the kinds of information your organization has. Different classifications may require different security measures. For example, many state data privacy statutes require special protections for documents that contain “personal information” such as social security numbers, financial account numbers, and driver’s license numbers. These documents should be classified as a high level of sensitivity and thus require more stringent protection measures.
You should also identify the source of the document. A document may be generated by a word processing program, but may also be generated by a financial reporting tool in the form of a spreadsheet. In many cases, these documents are not protected once they leave your system. Once we know the type of data and the various data sources, we can apply protection.
Once you have identified and classified the data and data sources, how do you protect those documents?
Access Control, Least Privilege, and Education. Not everyone may need access to the most sensitive documents handled by your law firm. When granting users access to documents, follow the principle of “least privilege”: grant the most restrictive set of privileges needed to perform authorized tasks. This may include the ability to download information from a system. For example, you may want to limit the ability of employees to download financial data from your case management system.
Identify the users that do generate, process or possess sensitive documents. Typically, it’s only a handful of people within the firm. Identify “trusted” users who are consciously aware of the kind of information they are handling and have agreed to be “trustworthy” in handling it. Focus on educating and training those users about the sensitivity of the information they are protecting and how to protect it properly.
Apply a Digital Watermark. A digital watermark works in the same manner as the alarm in a clothing store that goes off if you leave the store without paying for an article. You can use a “data loss prevention tool” such as Symantec Data Loss Prevention or McAfee Total Protection to configure your system to alert you if someone tries to share a watermarked document via email. This is particularly important because even if you do encrypt or password protect a document, once the recipient has access to the document, they can remove the protection and share it at will. Applying a digital watermark can help prevent subsequent sharing of the unprotected document.
Remove Metadata. Documents are rich with information that is not always visibly discernible. Don’t disseminate documents without stripping them of that metadata. You can do this via Microsoft Word and Adobe Acrobat among other products.
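What that hidden information looks like inside a Word file, as an added Python example (not code from the paper or from Microsoft): a .docx is a ZIP package, and the audit below reads its property parts and counts reviewer comments and tracked changes before a file is released. The function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
IDENTIFYING = {"creator", "lastModifiedBy", "Company"}

def audit_docx(data: bytes) -> dict:
    """Report what a .docx carries beyond its visible text."""
    found = {"properties": {}, "comments": False, "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in names:
                for el in ET.fromstring(pkg.read(part)).iter():
                    if len(el) == 0 and el.text and el.text.strip():
                        found["properties"][el.tag.rsplit("}", 1)[-1]] = el.text.strip()
        found["comments"] = "word/comments.xml" in names
        if "word/document.xml" in names:
            revisions = (f"{{{W}}}ins", f"{{{W}}}del")  # tracked insertions/deletions
            body = ET.fromstring(pkg.read("word/document.xml"))
            found["tracked_changes"] = sum(el.tag in revisions for el in body.iter())
    return found

def release_blockers(found: dict) -> list:
    """Reasons the file should be cleaned before it is sent outside the firm."""
    reasons = []
    leaked = sorted(IDENTIFYING.intersection(found["properties"]))
    if leaked:
        reasons.append("identifying properties: " + ", ".join(leaked))
    if found["comments"]:
        reasons.append("reviewer comments present")
    if found["tracked_changes"]:
        reasons.append(f"{found['tracked_changes']} tracked changes present")
    return reasons

def make_sample() -> bytes:
    """Constructed .docx-shaped package with typical residue (not a real file)."""
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>J. Associate</dc:creator><cp:lastModifiedBy>A. Partner</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml": '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"><Company>Example Law LLP</Company></Properties>',
        "word/comments.xml": f'<w:comments xmlns:w="{W}"/>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:ins><w:r><w:t>new fee</w:t></w:r></w:ins><w:del><w:r><w:delText>old fee</w:delText></w:r></w:del></w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()
```

Calling `release_blockers(audit_docx(open(path, "rb").read()))` on an outgoing file returns an empty list only when none of these residues remain.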
Encrypt. At a moment in time fraught with data breaches and cyber-threats, encryption is a good way to secure your client’s data and meet your ethical obligations. Encryption, in layman’s terms, scrambles your data into an unreadable format and is one of the best methods of protecting your digital data. With the ubiquity of tools to secure your data come easy-to-use interfaces and instructions. Any lawyer can encrypt sensitive data, and in most cases for free. Here’s how.
Physical Devices. One of the most common reasons for inadvertent disclosure of client data or loss of client data is stolen and lost laptops or devices. Even an amateur cyber criminal can easily extract the contents of an unencrypted hard drive. If you have not encrypted the hard drive of your laptop, you should do so today. Encrypting your laptop is a simple process and should not impact your work. Once you turn on hard drive encryption, each time you log off your computer, the entire contents of your hard drive are encrypted. When you log back in, the contents are unencrypted for use. The activation process for both Mac and Windows computers is quite straightforward.
. . . .
Files and Folders. It’s worth understanding how to encrypt files and folders for a couple of reasons. First, rather than encrypting your entire hard drive, you could decide to only encrypt a certain folder with sensitive client data. If you are diligent in storing all your sensitive files in one folder, this is a fine option. The problem, however, is that many times a file on your computer may not be located in just one place. For example, say you receive an email with a sensitive client file attached, which you then open using Outlook on your desktop. That attachment is automatically saved somewhere on your local hard drive. Furthermore, if you download the document to your desktop or downloads folder and forget about it, that file will reside in yet another place on your hard drive. If you’ve only encrypted one folder and not your entire hard drive, that file can likely be accessed in an unencrypted area of your hard drive. Second, encrypting a file or folder is a simple way to secure data and email it to a recipient.
Now, what about sharing documents? How do you do so in a secure fashion?
Below are four different methods you can use to securely share files over the Internet.
- Encrypt Individual Files or Folders and Send Via Email. As noted above, you can encrypt individual files and folders and attach those to an email. Then do one of the following: call or text the recipient with the encryption key (i.e., the password), and just don’t send the password in the same email as your attachment; secure the files with information that only the recipient would know (i.e., Social Security number) and alert them; or secure the files with a pre-agreed-upon password.
- Use a Secure Cloud Storage Program and Share the Link with the Recipient. You can accomplish this with services such as Dropbox, Box, and Google Drive. (As an aside, you should vet all cloud-based providers before using their service and take certain security precautions, such as using strong passwords and implementing two-factor authentication.) First, save the file to the cloud storage program and then share the file link with only the recipient.
- Use a Secure Client Portal. Most case management systems such as Clio, RocketMatter, MyCase, Cosmolex, and ZolaSuite have a secure client portal to communicate with clients. All your client needs is a username and password. You decide what to share with your client via the portal. This also helps keep your client informed and reduce email correspondence.
- Use an Email Encryption Service. There are many available and all work a bit differently. For example, Streak Secure Gmail is a simple add-on to Gmail. To encrypt a message, you select the lock button next to “Compose” to compose a new secured message. Streak will encrypt the entire contents of the email and attachments. All you need to do is set a password and give your recipient a hint. The recipient receives a garbled email with your hint and a prompt to enter a password.
More sophisticated services such as ZixCorp offer the ability to set rules that will trigger when you try to send emails containing certain information, such as a social security or financial account number. The recipient can view the email and attachment after registering their email address with ZixCorp and creating a password.
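Rules of this kind, and the classification step described earlier in the article, both depend on recognizing personal information in text. The following Python example is added here and is not from the paper or from any vendor's product; it assumes hyphenated Social Security numbers, uses payment card numbers as a stand-in for financial account numbers, and all function names and sample strings are constructed.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop ranges never issued as SSNs, which cuts false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so findings are safe to log."""
    return "*" * (len(value) - 4) + value[-4:]

def find_personal_info(text: str) -> list:
    """Return (kind, masked value) pairs for each validated match."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits

def classify(text: str) -> tuple:
    """HIGH when any personal information is found, otherwise NORMAL."""
    hits = find_personal_info(text)
    return ("HIGH" if hits else "NORMAL", hits)

def outbound_action(body: str) -> str:
    """Hypothetical mail rule: force encryption when the body classifies HIGH."""
    return "encrypt" if classify(body)[0] == "HIGH" else "send"

# Constructed samples; the card number is a well-known test value.
SENSITIVE = "Client SSN 123-45-6789, card 4111 1111 1111 1111 on file."
ROUTINE = "Invoice 000-12-3456, reference 4111 1111 1111 1112."
```

The range and checksum checks are what keep invoice and case numbers that merely look like identifiers from being labeled HIGH.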
For additional encryption services, take a look at Citrix ShareFile, Enlocked, Go Daddy Office 365 Add-On, HushMail, Microsoft 365, RPost, Sendinc, Trend Micro, Trustifi, Virtu, ProtonMail, and Voltage. When selecting any email encryption service, test it out to determine how easy or difficult it is to use on both the sender’s and the recipient’s end.
Finally, in order to keep your documents secure, you must monitor the usage of documents.
Review: Review access lists and update them to ensure only the right people have access. Ensure that when employees leave the firm, all their access is deactivated. It is easy to deactivate email accounts, computer logins, and other internal access IDs, but oftentimes access to other systems, such as Dropbox, case management, etc. is overlooked.
Track: Know where your document is, and who is using it, when, and how. For example, you can use services like Microsoft Azure Information Protection (AIP) to track documents or other (free) technical solutions such as Canary Tokens (https://canarytokens.org).
Revoke: Revoke the document, access to it, or access of a specific user if you believe the document is compromised.
Heidi S. Alexander, Esq. is the Deputy Director of Lawyers Concerned for Lawyers, where she helps manage organization operations and leads the Massachusetts Law Office Management Assistance Program (LOMAP). LOMAP provides free and confidential practice management assistance, guidance in implementing new law office technologies, and methods to attain healthy and sustainable practices. She is the author of Evernote as a Law Practice Tool and serves on the ABA’s TECHSHOW Planning Board. In 2017, Heidi was appointed to the Massachusetts Supreme Judicial Court’s Standing Advisory Committee on Professionalism.
Shamla Naidoo is an accomplished information security executive with more than 25 years of experience. As the Global Chief Information Security Officer of IBM, Shamla is the company’s top information security executive, responsible for safeguarding IBM globally including all its business units and brands. She is responsible for IBM’s overall information security program, which includes the company’s information risk and security strategies, planning, governance, architecture, and operations.